@krakenbuerger @eff @sovtechfund I will totally take you up on that!
Notices by Josh Bressers (joshbressers@infosec.exchange), page 2
Josh Bressers (joshbressers@infosec.exchange)'s status on Saturday, 07-Dec-2024 01:50:10 JST
Josh Bressers (joshbressers@infosec.exchange)'s status on Friday, 06-Dec-2024 21:52:21 JST
@bagder there are some choice quotes you can use in this article
Josh Bressers (joshbressers@infosec.exchange)'s status on Friday, 06-Dec-2024 11:37:27 JST
I'm looking for a new hoodie (suggestions welcome)
I have a few requirements. It has to be black and it has to be zip up
Bonus points for hacker, open source, or privacy focus
I'm currently leaning towards this from @eff
https://shop.eff.org/products/stay-golden-hooded-sweatshirt?variant=42581380694195
Josh Bressers (joshbressers@infosec.exchange)'s status on Friday, 06-Dec-2024 03:27:04 JST
I just got my first "supply chain predictions for 2025" email!
I would start a thread asking for supply chain predictions, wrong answers only
except ... yeah
Josh Bressers (joshbressers@infosec.exchange)'s status on Friday, 06-Dec-2024 00:00:04 JST
@bagder That number probably came from the episode with Brian Fox from Sonatype. 700K was the number of malicious packages :)
I like to look at the data from @ecosystems
They are tracking 10 million open source projects, 2.7 million of those published something in the last year
Of those 2.7 million
About 20,000 have more than one million downloads
Which is still a pretty wild number. And the Ecosyste.ms data doesn't have download numbers for everything, so there are generous error bars
Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 04-Dec-2024 21:43:59 JST
@hobs @SpaceLifeForm @kurtseifried youch
This lines up with how I’ve seen commercial entities deal with weird bugs. It’s probably expensive to fix and cheap to ignore
I do think it’s something open source can do better than closed. It’s probably hard to fix and barely affects anyone, but if it affects the right nerd, they’ll get it done because it’s interesting
Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 04-Dec-2024 06:59:55 JST
@fromthesocks @kurtseifried I don’t know of anything, but I’m not an expert :)
I wonder if @runZeroInc can do something here (they have a free version you should check out)
Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 03-Dec-2024 04:18:41 JST
@silhouette @kurtseifried We do have a very North American view of things
I do hope Europe sees success with NIS2. It's all a pretty big deal and it's clear the EU gets it
Sadly I don't see a lot of positive movement on any of this for the foreseeable future in the US
Josh Bressers (joshbressers@infosec.exchange)'s status on Monday, 02-Dec-2024 23:22:44 JST
@mattdm Exactly!
Josh Bressers (joshbressers@infosec.exchange)'s status on Monday, 02-Dec-2024 23:18:14 JST
I have a thought brewing in my brain, but I'm not sure if it makes sense
Dealing with security flaws in dependencies often falls to #appsec teams, but should it? It's a different skill I think, closer to an #OSPO role than a security role
Josh Bressers (joshbressers@infosec.exchange)'s status on Monday, 02-Dec-2024 20:54:27 JST
@Di4na @kurtseifried goodness no, I would never use my own money to buy a MacBook
It’s my work machine, I’m waiting for it to age out so I can get a Linux machine
Josh Bressers (joshbressers@infosec.exchange)'s status on Monday, 02-Dec-2024 12:00:01 JST
All the security Apple has put into OSX 15 is starting to give me Windows Vista vibes
I will not be at all surprised if these "security features" backfire
Josh Bressers (joshbressers@infosec.exchange)'s status on Monday, 02-Dec-2024 03:58:20 JST
Don't let social media define who you are
Let your pent-up anger and rage define who you are
Josh Bressers (joshbressers@infosec.exchange)'s status on Saturday, 30-Nov-2024 05:42:52 JST
It’s called cyber Monday so we remember cyber Pearl Harbor
Josh Bressers (joshbressers@infosec.exchange)'s status on Friday, 29-Nov-2024 09:02:41 JST
@simplenomad No way
You just tell him it’s what the force wanted Luke to do so he could help his father fulfill the prophecy
Josh Bressers (joshbressers@infosec.exchange)'s status on Friday, 29-Nov-2024 00:04:36 JST
@webmink I don’t feel like this is the message I’m seeing in public
I feel it’s more like the foundations are saving open source from regulation
I need to ponder this
Josh Bressers (joshbressers@infosec.exchange)'s status on Thursday, 28-Nov-2024 22:05:36 JST
@xplora1a @simplenomad @kurtseifried I’m not sure I would make such a brazen statement
But yes :)
Josh Bressers (joshbressers@infosec.exchange)'s status on Thursday, 28-Nov-2024 22:01:01 JST
@Di4na @webmink I agree with this take. We frame this discussion as protecting the developers, but developers have options
I’ve yet to see the conversation treating this as helping the consumers of open source (who don’t have options)
Putting requirements on open source projects would no doubt end with a bunch of developers closing their projects
That’s the problem everyone should be talking about, yet we frame it as helping developers avoid a risk they can already avoid by quitting
Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 27-Nov-2024 23:30:52 JST
Here's a better graph. This is just the WP Plugins removed with 2024 still there for scale
Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 27-Nov-2024 23:09:24 JST
@Viss @mttaggart @da_667 I graphed the CVEs with the Kernel and wordfence, patchstack, and wpscan removed (those are all the WordPress plugin bug bounty CNAs)